dcf9f6cf665005908ce527ad2f5b86170e4b1630a1f2a2d5779c9160eee0af4a

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f11201a597da60exeexeexeex.exe
Size

119KB
MD5

f11201a597da60630a6c2f322c15bf03
SHA1

e9fa740eac5dff41c5273ee60f5c92d6c1bceecd
SHA256

dcf9f6cf665005908ce527ad2f5b86170e4b1630a1f2a2d5779c9160eee0af4a
SHA512

8717eaf66c1053616cc4e51fa525a7343448c4b549a534a7fe699af4a90e2a41ca85066b07bcd9864da0fe3e8ba8ce70d04182d7f17b1e02f0dd5855e3d230f6
SSDEEP

1536:qkmnpomddpMOtEvwDpjJGYQbN/PKwNgp699GNtL1eUu:AnBdOOtEvwDpj6zZ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2288	asih.exe

Loads dropped DLL 1 IoCs

pid	Process
1336	f11201a597da60exeexeexeex.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012275-63.dat	upx
behavioral1/memory/1336-67-0x0000000000500000-0x000000000050F000-memory.dmp	upx
behavioral1/files/0x000b000000012275-66.dat	upx
behavioral1/files/0x000b000000012275-75.dat	upx
behavioral1/memory/2288-76-0x0000000000500000-0x000000000050F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2288	1336	f11201a597da60exeexeexeex.exe	29
PID 1336 wrote to memory of 2288	1336	f11201a597da60exeexeexeex.exe	29
PID 1336 wrote to memory of 2288	1336	f11201a597da60exeexeexeex.exe	29
PID 1336 wrote to memory of 2288	1336	f11201a597da60exeexeexeex.exe	29

C:\Users\Admin\AppData\Local\Temp\f11201a597da60exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\f11201a597da60exeexeexeex.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\asih.exe
  "C:\Users\Admin\AppData\Local\Temp\asih.exe"
  2⤵
  - Executes dropped EXE
  PID:2288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
120KB

MD5
ef69f4d0b546be184e6f7a883ced10d1

SHA1
f2c2a96ad487d245f17bcdc56e5a54b412b9cbf3

SHA256
0b1ab91a61bcd35a5007d570923ac1b63fcbf4b4d82290b84b62389a28d9ce52

SHA512
36bf27ccb5399f004dd0a69500cd29b8c9d079ecaf34d0ed3ec2d7f21539608954bea94e7dc63aff6f6e9d81e64f55d03e998b607e3ee0dcdddc082309ec5732

Download Submit
C:\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
120KB

MD5
ef69f4d0b546be184e6f7a883ced10d1

SHA1
f2c2a96ad487d245f17bcdc56e5a54b412b9cbf3

SHA256
0b1ab91a61bcd35a5007d570923ac1b63fcbf4b4d82290b84b62389a28d9ce52

SHA512
36bf27ccb5399f004dd0a69500cd29b8c9d079ecaf34d0ed3ec2d7f21539608954bea94e7dc63aff6f6e9d81e64f55d03e998b607e3ee0dcdddc082309ec5732

Download Submit
\Users\Admin\AppData\Local\Temp\asih.exe

Filesize
120KB

MD5
ef69f4d0b546be184e6f7a883ced10d1

SHA1
f2c2a96ad487d245f17bcdc56e5a54b412b9cbf3

SHA256
0b1ab91a61bcd35a5007d570923ac1b63fcbf4b4d82290b84b62389a28d9ce52

SHA512
36bf27ccb5399f004dd0a69500cd29b8c9d079ecaf34d0ed3ec2d7f21539608954bea94e7dc63aff6f6e9d81e64f55d03e998b607e3ee0dcdddc082309ec5732

Download Submit
memory/1336-54-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1336-55-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1336-67-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download
memory/2288-69-0x00000000004D0000-0x00000000004D6000-memory.dmp

Filesize
24KB

Download
memory/2288-76-0x0000000000500000-0x000000000050F000-memory.dmp

Filesize
60KB

Download